我可以用脚本自动检查“用该对象的可继承权限条目替换所有子对象权限条目”吗？

首先，我知道有为此创建的软件，但我试图将其展示给一个严格禁止任何旧应用程序进入环境的企业。我有一个 Powershell 脚本，它完全可以满足我的需要……几乎。我试图从系统中完全删除用户配置文件，但未能删除最后一个文件夹、子文件夹和文件，以及整个用户文件夹本身。

这是将删除我选择的任何用户以及排除我选择的任何用户的脚本。效果很好！它从设置中删除配置文件，从 regedit 中删除密钥，并从“查看高级系统设置”中删除用户

$usersToDelete = "userb"
$excludedUserNames = "Administrator", "DefaultAccount", "Guest", "vboxuser"

foreach ($user in $usersToDelete) {
    Get-LocalUser $user | Remove-LocalUser
}

Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.LocalPath -match "^C:\\Users\\($([string]::Join('|', $usersToDelete)))$" -and $_.SID -notmatch "^S-1-5-18$" -and $_.SID -notmatch "^S-1-5-19$" -and $_.SID -notmatch "^S-1-5-20$" } | ForEach-Object {
    $sid = $_.SID
    $username = $_.LocalPath -replace "^C:\\Users\\"
    if ($username -notin $excludedUserNames) {
        Remove-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'" -ErrorAction SilentlyContinue
        $userPath = "C:\Users\$username"
        if (Test-Path $userPath) { Remove-Item $userPath -Recurse -Force }
        Remove-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "C:\Users\$username" -Recurse -Force -ErrorAction SilentlyContinue
        
        foreach ($user in $usersToDelete) {
            Get-LocalUser $user | Remove-LocalUser
        }
    
    }
    
}
$usersToDelete = "userb"

foreach ($user in $usersToDelete) {
    $userPath = "C:\Users\$user"
    if (Test-Path $userPath) {
        Remove-Item $userPath -Recurse -Force
    }
}

不幸的是，它在 Windows 资源管理器中的文件夹中被阻止。它被阻止的主要文件夹是“C:\Users\USERNAME\AppData\Local\Application Data” 我找到了一个修复程序，可以让我运行此脚本并删除整个用户文件夹。 选中“用该对象的可继承权限条目替换所有子对象权限条目”，右键单击我要删除的用户文件夹 -> 属性 -> 安全 -> 高级。 一旦我选中该框并重新运行脚本，据我所知，该用户已从 PC 中完全删除。有没有办法将其自动生成批处理文件或（甚至更好）将其放入我的脚本中？我需要能够为多个用户以及我选择的用户执行此操作。谢谢！

这些是我试图授予自己权限的几个批处理文件，但总是有一些文件或文件夹返回“访问被拒绝”错误。

set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause

set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause

这是 ChatGPT 给我的一些解决方案。这些都不起作用。

``$FolderPath = "C:\Users\usera\AppData\Local\Application Data"

# Get the folder object
$FolderACL = Get-Acl -Path $FolderPath

# Enable inheritance for all child objects
$FolderACL.SetAccessRuleProtection($false, $true)

# Apply the changes to the folder
Set-Acl -Path $FolderPath -AclObject $FolderACL


Other script that may grant access
icacls C:\Users\vboxuser\AppData\Local /grant USERNAME:(OI)(CI)F /T`

也许这也是\

`# Remove the user profile
Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}

就是从这个

# Specify the username whose profile you want to remove
`$Username = "UserA"`

# Get the SID of the user
`$UserSID = (Get-LocalUser -Name $Username).SID.Value`

# Remove the user profile
`Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}`

# Remove the user's registry key
`Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$UserSID" -Recurse -Force`

# Remove the user account
`Remove-LocalUser -Name $Username -Force``

$profilePath = "C:\Users\vboxuser"

$shell = New-Object -ComObject Shell.Application
$folder = $shell.NameSpace($profilePath)
$item = $folder.Self

$security = $item.GetAccessControl(1)
$securityDialog = $folder.ParentFolder.ParseName($item.Name).InvokeVerb("properties")

Start-Sleep -Milliseconds 1000

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{DOWN}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{ENTER}")

Start-Sleep -Milliseconds 500

$securityDialog.Close()

这个我也试过了，还是不行。 https://stackoverflow.com/questions/71876626/how-to-replace-all-child-object-permission-entries-with-inheritable-permission`